Fix CVE-2026-12912: heap-buffer-overflow in PixarLog ABGR decoding
Backport fix for CVE-2026-12912 to compat-libtiff3 (libtiff 3.9.4). Two upstream commits were cherry-picked and adapted to the 3.9.4 API to fix a heap-buffer-overflow in PixarLogDecode when handling 8BITABGR data with stride 3. The first patch adds a bounds check and fixes the output pointer advance, and the second extends the bounds check to handle multi-row strip decoding. CVE: CVE-2026-12912 Upstream patches: -ba2b04b114.patch -f9bda11bf2.patch Resolves: RHEL-189375 This commit was backported by Ymir, a Red Hat Enterprise Linux software maintenance AI agent. Assisted-by: Ymir
This commit is contained in:
parent
cf89677ea6
commit
072cfeac1c
@ -1,7 +1,7 @@
|
||||
Summary: Compatibility package for libtiff 3
|
||||
Name: compat-libtiff3
|
||||
Version: 3.9.4
|
||||
Release: 15%{?dist}
|
||||
Release: 16%{?dist}
|
||||
|
||||
License: libtiff
|
||||
Group: System Environment/Libraries
|
||||
@ -44,6 +44,10 @@ Patch35: libtiff-3.9.4-CVE-2025-9900.patch
|
||||
# from upstream, for <= 4.7.1, RHEL-159315
|
||||
# https://gitlab.com/libtiff/libtiff/-/commit/782a11d6b5b61c6dc21e714950a4af5bf89f023c
|
||||
Patch36: libtiff-CVE-2026-4775.patch
|
||||
# from upstream, RHEL-189375
|
||||
# https://gitlab.com/libtiff/libtiff/-/commit/ba2b04b114c5dd945107ccc613cedfcca3af73bb
|
||||
# https://gitlab.com/libtiff/libtiff/-/commit/f9bda11bf2fc819b971517582666d56f18b1bc3f
|
||||
Patch37: libtiff-CVE-2026-12912.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
BuildRequires: zlib-devel libjpeg-devel
|
||||
@ -92,6 +96,7 @@ to use the current version of libtiff.
|
||||
%patch -P 34 -p1
|
||||
%patch -P 35 -p1 -b .CVE-2025-9900
|
||||
%patch -P 36 -p1 -b .CVE-2026-4775
|
||||
%patch -P 37 -p1 -b .CVE-2026-12912
|
||||
|
||||
# Use build system's libtool.m4, not the one in the package.
|
||||
rm -f libtool.m4
|
||||
@ -136,6 +141,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_libdir}/libtiffxx.so.*
|
||||
|
||||
%changelog
|
||||
* Sat Jun 27 2026 RHEL Packaging Agent <redhat-ymir-agent@redhat.com> - 3.9.4-16
|
||||
- fix CVE-2026-12912: heap-buffer-overflow in PixarLog ABGR decoding
|
||||
(RHEL-189375)
|
||||
|
||||
* Wed Apr 22 2026 Michal Hlavinka <mhlavink@redhat.com> - 3.9.4-15
|
||||
- fix CVE-2026-4775: signed integer overflow in putcontig8bitYCbCr44tile (RHEL-159315)
|
||||
|
||||
|
||||
107
libtiff-CVE-2026-12912.patch
Normal file
107
libtiff-CVE-2026-12912.patch
Normal file
@ -0,0 +1,107 @@
|
||||
From 3bddf1548c274f4efaf113af871d87688dd605ab Mon Sep 17 00:00:00 2001
|
||||
From: waugustus <wangdw.augustus@qq.com>
|
||||
Date: Thu, 23 Apr 2026 17:05:53 +0800
|
||||
Subject: [PATCH 1/2] pixarlog: fix heap-buffer-overflow in 8BITABGR decode
|
||||
with stride 3 (#824)
|
||||
|
||||
---
|
||||
libtiff/tif_pixarlog.c | 18 +++++++++++++++++-
|
||||
1 file changed, 17 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
|
||||
index a4c932cb..447244d3 100644
|
||||
--- a/libtiff/tif_pixarlog.c
|
||||
+++ b/libtiff/tif_pixarlog.c
|
||||
@@ -746,6 +746,19 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
|
||||
|
||||
llen = sp->stride * td->td_imagewidth;
|
||||
|
||||
+ /* Fix: ABGR with stride=3 expands 3 samples to 4 output bytes per pixel */
|
||||
+ if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3)
|
||||
+ {
|
||||
+ tsize_t required = (tsize_t)td->td_imagewidth * 4;
|
||||
+ if (occ < required)
|
||||
+ {
|
||||
+ TIFFErrorExt(tif->tif_clientdata, module,
|
||||
+ "Output buffer too small for PixarLog ABGR data");
|
||||
+ memset(op, 0, (size_t)occ);
|
||||
+ return (0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
(void) s;
|
||||
assert(sp != NULL);
|
||||
sp->stream.next_out = (unsigned char *) sp->tbuf;
|
||||
@@ -825,7 +838,10 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
|
||||
case PIXARLOGDATAFMT_8BITABGR:
|
||||
horizontalAccumulate8abgr(up, llen, sp->stride,
|
||||
(unsigned char *)op, sp->ToLinear8);
|
||||
- op += llen * sizeof(unsigned char);
|
||||
+ if (sp->stride == 3)
|
||||
+ op += td->td_imagewidth * 4;
|
||||
+ else
|
||||
+ op += llen * sizeof(unsigned char);
|
||||
break;
|
||||
default:
|
||||
TIFFErrorExt(tif->tif_clientdata, tif->tif_name,
|
||||
--
|
||||
2.52.0
|
||||
|
||||
|
||||
From c29a602200eb255f69587a35ef0c5a9f68c0ad8e Mon Sep 17 00:00:00 2001
|
||||
From: waugustus <wangdw.augustus@qq.com>
|
||||
Date: Thu, 7 May 2026 12:48:42 +0800
|
||||
Subject: [PATCH 2/2] pixarlog: complete ABGR bounds check for multi-row strip
|
||||
decoding
|
||||
|
||||
---
|
||||
libtiff/tif_pixarlog.c | 26 ++++++++++++++++++++++++++
|
||||
1 file changed, 26 insertions(+)
|
||||
|
||||
diff --git a/libtiff/tif_pixarlog.c b/libtiff/tif_pixarlog.c
|
||||
index 447244d3..993e1f33 100644
|
||||
--- a/libtiff/tif_pixarlog.c
|
||||
+++ b/libtiff/tif_pixarlog.c
|
||||
@@ -750,6 +750,12 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
|
||||
if (sp->user_datafmt == PIXARLOGDATAFMT_8BITABGR && sp->stride == 3)
|
||||
{
|
||||
tsize_t required = (tsize_t)td->td_imagewidth * 4;
|
||||
+ tsize_t max_rows;
|
||||
+ tsize_t max_nsamples;
|
||||
+
|
||||
+ /*
|
||||
+ * Ensure at least one expanded output row fits.
|
||||
+ */
|
||||
if (occ < required)
|
||||
{
|
||||
TIFFErrorExt(tif->tif_clientdata, module,
|
||||
@@ -757,6 +763,26 @@ PixarLogDecode(TIFF* tif, tidata_t op, tsize_t occ, tsample_t s)
|
||||
memset(op, 0, (size_t)occ);
|
||||
return (0);
|
||||
}
|
||||
+
|
||||
+ /*
|
||||
+ * PixarLogDecode() may process multiple rows per call
|
||||
+ * (e.g. strip decoding). Limit nsamples so the total
|
||||
+ * output written by the loop below never exceeds occ.
|
||||
+ */
|
||||
+ max_rows = occ / required;
|
||||
+ max_nsamples = max_rows * llen;
|
||||
+
|
||||
+ /*
|
||||
+ * Truncate excess rows to preserve as much decoded data
|
||||
+ * as possible while avoiding output buffer overflow.
|
||||
+ */
|
||||
+ if (nsamples > max_nsamples)
|
||||
+ {
|
||||
+ TIFFWarningExt(tif->tif_clientdata, module,
|
||||
+ "PixarLog ABGR decode truncated to avoid "
|
||||
+ "output buffer overflow");
|
||||
+ nsamples = max_nsamples;
|
||||
+ }
|
||||
}
|
||||
|
||||
(void) s;
|
||||
--
|
||||
2.52.0
|
||||
|
||||
Loading…
Reference in New Issue
Block a user